In 2014, the Heartbleed exploit left everyone's log-in information potentially up for grabs thanks to one itty-bitty piece of code. But what is a person afraid for their security to do? Well, you should definitely change your passwords—regularly! Still, between sheer brute force and simple phishing, passwords are, to be honest, a pretty laughable means of authentication.

What you really need is a second factor of authentication. That's why many internet services, a number of which have felt the pinch of being hacked, have embraced two-factor authentication for their users. It's sometimes called 2FA, or used interchangeably with the terms "two-step" and "verification" depending on the marketing. Even the White House has a campaign asking you to #TurnOn2FA.

But exactly what is it?

As PCMag's lead security analyst Neil J. Rubenking puts it, "there are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options."

The problem is, we are far from ubiquity on having biometric scanners for fingerprints and retinas as that second factor. In most cases, the extra authentication is simply a numeric code; a few digits sent to your phone, which can only be used once.

More and more services support a specialized app on the phone called an "authenticator," which will do that same job. The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn't even require a connection. The arguable leader in this area is Google Authenticator (free on Android, iOS, and BlackBerry). Twilio Authy (free on iOS including Apple Watch, Android, BlackBerry, macOS, Windows, and the Chrome browser) and Duo Mobile (on iOS, Android, BlackBerry, and Windows Phone) do the same thing, and with far more color and style; both make Google's app look washed out and ancient. Password manager LastPass launched a 2FA authenticator for iOS and Android as well. The codes in authenticator apps sync across your accounts, so you can scan a QR code on a phone and get your six-digit access code on your browser, if supported.

Here's a video Google made about two-step verification basics; it provides a good idea of what's involved.

Be aware that setting up 2FA can actually break the access within some other services. For example, if you have 2FA set up with Microsoft, that's great—until you try to log into Xbox Live on the Xbox 360. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You'll see it come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services. The need for app passwords is, thankfully, dwindling with the passage of time.

Remember as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA on accounts will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid some serious theft, be it of your identity, data, or money.

The following is not an exhaustive list of services with 2FA ability, but we cover the major services everyone tends to use, and walk you through the setup. Activate 2FA on all of these and you'll be more secure than ever.

Google 2-Step Verification

With access to your credit card (for shopping on Google Play), important messages and documents, and even your videos on YouTube—essentially your whole life—a Google account has to be well-protected. Thankfully, the company has been working on 2FA systems since 2010.

Google calls its system 2-Step Verification. It's all about identifying you via phone. When you enter a password to access your Google account for almost any service, if 2-Step Verification is on, there are multiple options to get that second step. First among them now: the Google Prompt. You simply add your smartphone to your account, make sure the Google search app is on the phone, and at login, you can go to the phone and simply acknowledge that you were the one signing in. Easy.

If that doesn't work, you'll need to enter an extra code. That code is sent to your phone via SMS text, a voice call, or by using an authenticator app. On your personal account, you can opt to register your computer so you don't have to enter a code during every sign-in. If you have a G Suite account for business, you can opt to only receive a code every 30 days.

Google Authenticator—actually, any authenticator app—can generate the verification code for you, even if your smartphone is not connected to the internet. You must sign up for 2-Step Verification before you can use it. The app will scan a QR code on the desktop screen to give you access, then generate a time-based or counter-based code for you to type in. It replaces getting the code via text or voice calls or email. Authenticator apps also work with other services, like LastPass, WordPress, Facebook, Evernote, Microsoft, IFTTT, Dropbox, Amazon, and Slack.

Once you've set up Google 2-Step Verification, access it again by visiting your Google account security settings. There you can select the phone numbers that can receive codes, switch to using an authenticator app, and access your 10 unused codes that can be printed to take with you for emergencies (such as if your phone dies and you can't get to the authenticator app).

This is also where you generate app-specific passwords. Let's say you want to use your Google account with a service or software that doesn't use the standard Google login (I ran into this with Trillian on iOS). You typically get shut out of such a service if you've got 2-Step Verification activated, and will need an app-specific password to get on them using your Google credentials.

Facebook Login Approvals

Facebook is the last place you want to lose control of an account; its version of two-factor authentication will help prevent that. It's called Login Approvals, and on the desktop you access it by going to Settings > Security. Click "Edit" next to Login Approvals and "Enable" on the top right.

Facebook defaults to having you authenticate via a Code Generator. You can do so via Facebook's built-in Code Generator or a third-party app.

To use the Facebook app, log in to a new Facebook session somewhere—like a friend's PC. When prompted for a code, navigate to the Code Generator in the Facebook app (More/three-line "hamburger" menu > Code Generator), which will display a six-digit number you type into the browser on the new PC; that number changes every 30 seconds.

If you want to keep all your codes in one place, use a third-party code-generating mobile app (such as Google Authenticator or Authy). Set it up on Facebook.com via Settings > Security > Login Approvals > Edit > Code Generator > Set up another way to get security codes. That will produce a pop-up with a QR code. Open your Authenticator app on your phone, aim it at the QR code on your PC's screen, and you're all set. When you sign in to Facebook from an unknown browser and it prompts you for a code, open the Authenticator app and type in the six-digit code in the Facebook section.

If you'd rather get a text message with a code than use a Code Generator, look for the "need another way to authenticate?" prompt when you sign in. If you have a phone number linked to your Facebook account, clicking that will give you the option to "Text me a login code."

These options require you to have access to your phone, of course. But when you activate Login Approvals, you can get a list of 10 recovery codes that you can download and use at any time, even if you don't have your phone. Get them on Facebook.com > Settings > Security > Login Approvals > Edit > Recovery Codes > Get Codes and save them somewhere safe.

Facebook has even added Security Keys (using USB or NFC capable devices as a key). Not that many people have them, but if you have one, consider using it. Just don't forget to take it with you.

App Passwords is another Facebook security feature. Use them to skip the Login Approvals process altogether by generating a one-time password to access your Facebook account via any third-party app or service. If you log out of that app or service and need to go back in, you'll have to generate a new, unique app password. This is necessary on things like Xbox 360, Skype, and Spotify, which can't use Login Approvals, but still benefit from Facebook access.

Instagram Two-Factor Authentication

Instagram, owned by Facebook, started a slow rollout of two-factor authentication to test users in 2016; sit tight if you don't have it yet. If you do have it, you can go into the mobile app and look under Settings for Two-Factor Authentication. Turn on "Require Security Code" and add your phone number. Include the country code, because Instagram is everywhere. You'll get a confirmation code via SMS text message. Enter it and 2FA is on.

The app then brings up a list of five backup codes you can use in the future to turn off 2FA, and even offers to take a screenshot of them to add to your camera roll as a backup of those codes; you can always re-access them in the app as well. In the future, you'll just get another 2FA code if you have to sign in again using a different device.

Twitter Login Verification

To activate Login Verification on Twitter.com, click your profile photo on the top right > Settings and privacy. Under Security, check the box next to Login verification. In the app, go to the Me menu, tap the gear symbol button > Settings > Account > Security > Login Verification and toggle it on (or off).

In the initial setup process, Twitter sends a code via text to your mobile phone. But if you go the SMS route, you only get to use one phone for one account.

So the better option is to select "Setup a code generator app" (like Google Authenticator or Authy) and scan the QR code that comes up.

Both of those menus also offer the option for a Backup code. Take a screenshot and save it in a safe place.

Twitter also offers temporary app passwords for signing into other accounts that use the Twitter login. You do this on the Password tab in the Twitter settings via the desktop; it's not an option in the mobile app. The temp is usually a 12-character combo of letters and numbers; it's good for about an hour. (This is NOT the same as the backup code mentioned above.) You can view the full list of applications that have access to your Twitter or that use your Twitter credentials.

Apple Two-Factor Authentication

Your Apple ID is a big part of your life if you're an iOS or Mac user. It's important for not just access, but also storage via iCloud, purchases at iTunes, iBooks, and the App Store, and membership at Apple Music.

You are then furnished with steps on how to set up 2FA for Apple using either an iOS device or via macOS. You can't do it via a browser on another operating system anymore. On iOS you go to Settings > iCloud, sign in, tap the arrow next to your Apple ID > Password & Security > Turn on Two-Factor Authentication. On macOS go to the Apple menu > System Preferences > iCloud, sign in, click Account Details > Security > Turn on Two-Factor Authentication.

You'll have to answer two of your three pre-set security questions and re-confirm your credit card on the account to get into the setup. Then you have to enter a valid phone number to get a text or phone call (even if it's the number already on the phone you're using for setup). If it is the same phone, the six-digit code will be entered automatically when it arrives, or just type it in.

To get a code when needed, go back to iCloud settings, tap your username at top (you'll likely need to enter your full Apple ID password again) > Password & Security > Get Verification Code. This means sometimes you enter a circular-logic world where you need to get a code on the very device where the code has to be entered.

Apple also supports app-specific passwords. The option to get a "Recovery Key" code that you use to make changes when (probably not if) you lose your password or "trusted device" was removed when iOS 9 came along.

You can always turn off Apple 2FA in iCloud settings, but then you have to go back to security questions ("Who was the best man at your wedding?" etc.) to verify your ID, and no one wants that.

Microsoft Two-Step Verification

Microsoft has done a much better job in the last few years of tying together all its services under one umbrella account. I use mine for Outlook.com, OneDrive, Xbox Live, Skype, an Office 365 subscription, and more. Naturally, it should get some extra protection.

Microsoft will first suggest you get an app password to set up Outlook.com to sync with the email on mobile devices, then suggest a few other services that may need app passwords: Xbox 360, Windows Essentials (like Movie Maker), even Zune Desktop. You can go in later to generate app passwords.

You can then enter the "Set up an identity verification app" section. Microsoft recommends the use of an authenticator app because it makes its own for Windows Phone, iOS, and Android, which it will push on you to install. Thankfully, it also works with other standard authenticator apps, like Google Authenticator and Authy—but to use them, you must pick "other" during the setup. Scan the QR code displayed.

Or you can skip the authenticator. If you do, Microsoft logins will still try to get you to use an app, but provide a link to other methods for getting a 7-digit verification code: text or email. Even if you choose text, it has to go to a phone you've pre-registered, and even then, Microsoft will make you re-enter the last four digits of the phone number as an extra bit of confirmation.

As you continue the setup, Microsoft provides a recovery code for you to write down and keep safe, a 25-digit whopper (like the kind it uses on everything from software registrations to Xbox giveaways). Microsoft also supports Trusted Devices, which is hardware that doesn't require you to enter any codes—you'll see a checkbox to mark a device (like a Windows 10 PC) as trusted when you log into it. Go back to security settings to revoke trusted devices all at once if you lose one. Microsoft automatically removes any trusted device you haven't logged into in two months; just trust it again on the next login.

Yahoo Account Key or 2-Step Verification

To set up verification at Yahoo, access your Personal info (look for your name, or the link to Sign In, in the upper right of any Yahoo page).

Click Account Security and you'll see the Two-step verification toggle, making it incredibly easy to turn on and off with the flip of a virtual switch on the screen. It will immediately confirm the phone number on your account, or ask for a new one and send a 5-digit verification code. It also warns you that certain apps won't work with second sign-in verification, including Outlook and the mail apps on iOS and Android—those will require App Passwords.

There is no option to use a third-party authenticator app. However, the Yahoo Account Key is the next best thing. If you have a Yahoo-based app on your smartphone—be it Yahoo or Yahoo Weather or even Flickr—Yahoo Account Key can send a notification to that app. You get the notification, push a button to confirm it's you, and that's it—no codes to enter. It's very similar to Google's Google Prompt option. You can try a sample prompt to see how it works. If you activate it, Yahoo deactivates two-step verification.

After you set up two-step verification, the Sign-in and Security list gets another option: "Generate app passwords." When you're ready to access Yahoo services like mail on devices like iPhone, Android phones, or via Outlook, etc., you'll go here to create the new unique password that will hook you up.

Evernote Two-Step Verification

To set it up, sign in with a desktop browser and enter your Evernote Account Settings. The left nav will show the Security Summary link. The choices here are simple: put in an email, change your password, and enable Two-Step Verification. When you click enable, it will pop up this warning about using the most recent versions of Evernote to take advantage of the extra security:

Evernote supports authenticator apps—but only supports text messages if you have a paid Evernote premium account. That's right, you pay to get the less secure option! You'll need to verify the email and the phone numbers (you can have two) on the account. It also provides four backup codes for you to write down and save—in fact, you need to enter one to finish the setup. Don't store these codes in Evernote—you'll need them when you can't get access.

Finally, Evernote will point out all the third-party apps you use with its service that may now require a verification code, which includes mobile apps, browser extensions, and even IFTTT if you use it—but thankfully they won't need app passwords. To manage or generate new app passwords, go into the Security Summary and click Managed Settings.

Dropbox Two-Step Verification

Dropbox on the desktop website has a tab called Security. It's where you go to check how many current sessions are logged in and devices are using the account, to change the password, and, of course, turn on Two-step verification. Click the enable link, enter a password, and you'll be asked if you want to get security codes via SMS text message or use a mobile authenticator app.

If you choose text, enter a phone number and receive a code immediately; you also get to enter a backup number, plus receive a 16-digit number you should record that will allow you to deactivate two-step verification, if needed. If you choose the authenticator app, you'll see a QR code on-screen to scan. Other options include use of a USB or NFC security key, if you've got one. Dropbox provides excellent instructions.

LinkedIn Two-Step Verification

The social network LinkedIn uses text messages to receive authentication codes. You can access the "Turn On" link to activate it on the Account Settings page. Click the Privacy tab, then scroll to the bottom. There is no option for using an authenticator app.

Enter your mobile number and you'll immediately get a six-digit code you have to enter to verify you're you. Like Twitter, you only get one number (no backup). Unlike many other services, LinkedIn doesn't provide extra codes for getting around Two-Step Verification—in fact, turning it off is as simple as clicking the "Turn Off" link on the same page. It's not very secure, but still better than a password-only approach.

Snapchat Login Verification

Snapchat is a mobile-only service, so the only way to set up 2FA is via the mobile app. Open it up, click the ghost icon/your avatar at the top, and you're in the account screen. There's a gear icon on the upper right to access Settings.

Click the Login Verification line, click Continue after the warning page, and you'll immediately get a text on the device. Enter it on the next screen, and you're verified. You'll remain verified until you tell the app to forget it. To turn it off on that device, just click the software toggle switch. In fact, you can tell Snapchat to forget on other devices, if they've been verified. You should also generate a Recovery Code here and store it somewhere safe in case your phone goes missing.

If you prefer, this same page is where you can set up an authentication app. What's interesting is, you're probably (like me) setting up the Snapchat login verification on the same device the authentication app is installed on. You get three options—the first is to Set Up Automatically, which I tried, but Snapchat didn't see my installed authentication app (Authy)—Snapchat apparently likes Google Authenticator and Duo best. I clicked Set Up Manually instead and got a QR code—but I couldn't exactly scan it on the same screen. However, Snapchat did provide a 32-digit code for me to copy—by hand. Ugh.

These are the things that prevent people setting up better security, which is exactly why I didn't set up the authentication app for Snapchat, and stuck with the SMS verification.

PayPal Security Key

As a service dedicated to making payments, it's best that PayPal be as secure as possible. Log in, click the Profile menu at the upper right, and access My Profile. Click My Settings > Security Key. On the next page, click "Get Security Key." Register your phone number, verify it when the six-digit "One Time Pin" (OTP) code is texted to you, and from then on you'll need a new OTP every time you want to access PayPal anew. EVERY time. Access the PayPal Security Key Setup on this page by clicking the link at the bottom.

Square 2-Step Verification

This implementation of 2FA by Square is strictly for the online Square Dashboard. But thankfully you don't need this kind of thing for the credit card transactions, which are encrypted end-to-end, with no data stored locally on your mobile device/terminal.

Once a master account has 2FA activated, all employees will need to set up 2-Step Verification; once they log into the shared dashboard, they'll get emailed instructions on how to proceed. New employees will be asked to set it up when they first access the dash. Click the "Remember this Device for 30 days" option so you don't have to enter the 2FA code Every. Single. Time.

Venmo Verification

Venmo, the popular mobile app for sending payments, baked in the 2FA option (using SMS texts only) almost from the get-go. With it on, you'll get warnings when apps that haven't been validated try to use the account.

When you sign up, you have to verify your account via a phone number. You can't even use Venmo without it. You can also verify an email. Once a device is verified, Venmo remembers it and you shouldn't need to verify again. But you can always go to the Security Settings to remove saved devices—handy if you log in with a public PC or give up an old phone with access.

Your options: use an authenticator app like Authy, or get codes via text message. The former gives you a QR code to scan. The latter starts sending SMS messages to your mobile phone. Like the rest, you get a backup code option—copy it down someplace safe in case you get locked out of IFTTT.

MailChimp Two-Factor Authentication

MailChimp's two-factor authentication setup couldn't be easier. Sign in on the desktop, go to Settings > Security, and the top section is a button to Configure Google Authenticator—but it works for setting up any authenticator app. You can also put in a mobile number below for receiving a code via SMS text—you'll need that if you switch phones and don't have access to the authenticator app. Plus, when you log in, you can click a link below the "passcode required" box to get it via SMS immediately, which is a nice option.

Kickstarter Two-factor Authentication

Kickstarter is the top place to stop for great crowdfunded projects, but if your credentials get stolen you don't want crooks going hog-wild pledging your support for a lot of the lesser items displayed there.

You should immediately visit your Kickstarter Account and click where it says "Set up two-factor authentication." Kickstarter supports not just SMS texts and authentication apps, but getting codes via voice calls as well.

Even if you use the authenticator app (scanning a QR code), you still have to enter a phone number to verify as a fallback recovery method of getting codes.

Kickstarter's implementation is a clean example of what 2FA is all about—multiple options, all to keep you safe. It doesn't offer app passwords or backup codes, but that generally indicates they're not really needed.

WordPress.com Two-Step Authentication

WordPress.com—where you host a blog—offers up 2FA support by way of SMS text messages, and use of an authenticator app. Log in on the desktop and click your gravatar icon in the upper right, then click Security, and Two-Step Authentication.

On the next page, pick a country, enter a phone number for an SMS-capable phone, then pick either Verify via SMS or Verify via App. The latter brings up the QR code for your authenticator app to scan.

Next, you'll get a 7-digit code to enter and confirm it all. When WordPress asks you to print out or keep your backup codes, don't skip it. You may need them in the future if you forget a password or lose/erase your phone with the authenticator app. WordPress also supports app passwords as needed. Click Connected Applications in the security settings to see what apps are connected to your WordPress, and delete those no longer in use or that you don't recognize.

Tumblr Two-Factor Authentication

You might not expect Tumblr (which is owned by Yahoo but requires a separate sign-in) to need much security, but hey, you don't want someone else posting animated GIFs on your account! Plus, Tumblr had a serious breach in 2013, so better safe than sorry.

Simply sign on and visit your Account page. Find the toggle for two-factor authentication. Activate it and you're immediately asked to verify your phone number, which you should have already set up to make audio posts. If not, do it. Request a verification code and enter it fast, as it expires after two minutes. You can also use an authenticator app, but can't activate it until after you set up the phone number for texting.

Once that's all set, you have the option to generate 16-character mobile app passwords—you'll need them to access Tumblr for iOS and Android.

Amazon Two-Step Verification

The biggest retailer—and provider of so much more—needs some extra protection. Amazon added 2FA support late in 2015 and it's pretty important to turn on, as Amazon has its fingers in many pies like Comixology, Audible.com, and sites that use Amazon for payments—all tied to your credit card.

Open up Amazon.com on the desktop, click the Your Account drop-down menu and go to Your Account. Click on Login & Security Settings. On the next page, click Edit next to Advanced Security Settings. Two-Step Verification is here, and offers two options: the preferred method is the authenticator app (scan the QR code, you must have this down by now). Phone number entry (multiple numbers, actually) is the backup.

A nice option with Amazon is the ability to tell the service to skip the codes on select devices—say a PC that you and you alone have access to. If that option doesn't work later, you can come back to this page and click "Require codes on all devices."

Sony PlayStation 2-Step Verification

2FA is relatively new to the PlayStation Network. You have to activate it by visiting the Sony 2-Step Verification page and clicking the "Activate now" button. Sign in again with your Sony PS credentials, click Edit (it's next to the Status field), enter your phone number, then enter the code Sony texts to that same number. You should sign out then, and on all your active PlayStation sessions so you can log back in everywhere with full 2FA security.

You can also do it from the PlayStation 4 itself. Go to Accounts > Security > 2-Step Verification. Click Set Up Now, verify your number, and you'll get a text with the code. MonkeyFlop provides an entire video on the setup below.

Sony doesn't support any authentication app. However, it does provide backup codes for you to save for later. And, Sony absolutely requires app passwords—you'll need them to sign in on devices like the PlayStation 3 or PS Vita.

GoDaddy Two-Step Authentication

GoDaddy is a leader among not just web hosting but also domain name registry. You want to double up the security if you've got a very important domain or two in your possession, so they don't get stolen.

Log into the GoDaddy Account Manager, click Login & PIN. The Two-Step Authentication is right there in a box, with a Set Up button. You can use an SMS-enabled phone, to which GoDaddy will send a code for you to validate your 2FA setup. Add a second phone number as backup, if you like. Or, set up an authenticator app with a quick QR code scan.

You can go to the same spot in settings to disable 2FA (not that you ever would) or to change your phone information. GoDaddy doesn't supply any backup codes or app passwords. If you click on the edit button in the 2-Step Verification box, there's one other nice option: you can ask for verification for every login or only for "high risk transactions only."

Dreamhost Multifactor Authentication

Dreamhost is one of PCMag's top-rated Web Hosting Services. Thankfully, it's embraced some extra security for its users, beyond the username and password, settling on a 2FA scheme that requires an authenticator app (it recommends Google Authenticator since it's ubiquitous across all smartphones and third-party services).

Once signed in, navigate via the control panel to Billing & Account > Security, and go to the second section entitled Multifactor Authentication. Re-enter your password and in the menu, select either "Google Authenticator, Time-Based (recommended)" or "Google Authenticator, counter-based." The former is the way to go; the latter requires manual refreshes. You'll get a QR code to scan plus a 16-digit secret key—but you know the drill, just scan the code with your smartphone camera while in the authenticator app of your choice. Enter the 6-digit passcode that comes up on the phone in the field on Dreamhost and activate.

Don't forget to save your backup codes for offline use when you need to access Dreamhost sans phone.

TeamViewer Two-Factor Authentication

TeamViewer is a great way to take remote control of another person's computer (it's our Editors' Choice)—and that's a good reason to make sure it's secure. Log in to your TeamViewer account on the web at login.teamviewer.com. You'll see a list of the other computers with which you can usually connect. Your name should appear at the upper right as the header for a drop-down menu. From that menu, select Edit Profile.

The pop-up that appears will show two-factor authentication as the third choice. Click Start Activation. TeamViewer only allows 2FA through authenticator apps—no texting or other codes sent to your phone. In fact, you'll have to get a code from the app immediately to verify your 2FA; TeamViewer throws up a 16-digit backup code for you to copy and save right after.

You'll need a code from the authenticator app whenever you log in to TeamViewer software or apps in the future, but it won't impact generating TeamViewer codes to remotely control other PCs.

LastPass Multifactor Authentication

Some hack attacks aside, we've long considered LastPass just about perfect software here at PCMag, giving it 5-star Editors' Choice awards for years, even for the free version. It's one of our Best Password Managers for 2017. But could a password manager be even more secure? Of course it could, if you haven't yet turned on 2FA.

As befits a heavy-duty security option, LastPass touts its support for a slew of authentication apps, including Google Authenticator, Authy, and Duo, as well as its own LastPass Authenticator—and third-party hardware that can use your body for fingerprints, or smart cards or USB drives only you should be carrying. LastPass has separate instructions available for all of them; some only work with the premium version of LastPass. Codes via SMS text aren't an option.

In keeping with other services that use authenticator apps, here's what you do: Log in to LastPass on a desktop browser, go to LastPass Icon > My LastPass Vault > Account Settings, and click "Multifactor Options." Scroll to the Google Authenticator option (even if you're using another authenticator app). You'll get the usual QR code to scan with your app on the smartphone.

Next time you log in, you'll need the code from the authenticator app. As expected.

Dashlane Two-Factor Authentication

Our other favorite password manager is Dashlane, which also scores a 5-star EC rating and supports 2FA. You have to turn it on via the desktop using the software for Windows or Mac OS—you can't turn it on with the mobile apps, but you'll need an authenticator app on the smartphone to scan the QR code.

In the desktop program, go to Tools > Preferences (or Dashlane > Preferences on Mac), open the Security tab, and click Two-Factor Authentication to toggle it on. You get the option to only use codes when adding a new device or every time you log in. (You can't go back and forth between these options later without turning 2FA off and then back on, so choose wisely.) You then get the standard QR code to scan, or a key to enter in the app; when you do, enter the new code generated by the authenticator app back into Dashlane. Put in the fallback phone number as backup, and print out the backup codes in case you need them.

TurboTax Two-Step Verification

You can help yourself by turning on 2FA if you use e-filing software/services. The top-of-the-line option is Intuit TurboTax, our Editors' Choice and among our picks for The Best Tax Preparation Software of 2017. Once you've signed in on the desktop browser—which in my case required a code texted to me even before I turned on 2FA!—click My Account at the top and enter Account Settings. Click Security and the link to turn it on next to Two-Step Verification. If you've already entered a phone number, it should appear here so you can verify by text or voice call. It was that easy to turn on for SMS text codes.

Once that's on, the option to Turn on Authenticator App appears below it. Click the button and, for some reason, it asks what kind of smartphone you use; iPhone, Android, or BlackBerry are the choices. It probably doesn't matter much, as the QR code comes up next, plus manual entry code if needed, and once you enter it in the app, put the 6-digit verification back into TurboTax and you're set. The phone number remains in the system for fallback.

(Note, I had some issues getting the authenticator app setup to work via Google Chrome and had to go into Microsoft IE to make it happen.)

It appears other tax services like TaxAct and H&R Block have yet to embrace 2FA.

Nest

Nest is a big name in smart homes. It pays to lock down an account controlling your thermostat, smoke detectors, and surveillance cameras. The company, after all, had some security issues in the past. Nest's 2FA doesn't work with authenticator apps; it only sends text codes for logging in.

Log in to the Nest mobile app on your smartphone or tablet. Click on the three-line "hamburger" menu, and click Account > Managed Account > Account Security, where you'll find a 2-step verification option. Re-enter a password, give them your mobile phone number, and tap "send code." Enter the six-digit code you get via SMS text and you're set. You can turn off 2FA any time by going back to this menu, then you'll be back to password-only access.

WhatsApp

With well over a billion users and worries aplenty these days about people hacking phones, WhatsApp introduced end-to-end encryption as well as two-step authentication to keep out snoops, be they at home or sitting right there at the NSA, CIA, and FBI (Hi, Agent Mulder!).

Setup is easy: Go into Settings > Account > Two-step verification. Click Enable and things get a little different here: WhatsApp asks you for a six-digit PIN to use to register your phone number with WhatsApp. You'll also give them an email in case you ever need to do a reset—aka, turn off the verification. This isn't really like other 2FA setups since it doesn't have an ever-changing code to get access—it's more of a secondary password. But better to turn it on than not.

Etsy Two-Factor Authentication

You'd think a kitschy shopping galleria like Etsy would be safe, but hey, your credit card is out there. Lock down the marketplace. Etsy provides 2FA for exactly that purpose. Go to You > Account Settings > Security on a desktop browser. You'll have to give up your phone number to get codes via calls or texts. You'll need a new code with every new browser you log into, plus you get forced to use a new code that's texted to you every 30 days—keep it handy for your next login. Etsy also provides backup codes to keep around for when/if you want to turn off 2FA. See this page of security info for more.

Steam Guard

Much like how Facebook and Twitter require their own apps for people to authenticate their accounts, Steam's authentication codes for its 2FA—dubbed Steam Guard—come in via the Steam mobile apps for iOS and Android. (You have the option to get codes by email, but that's as secure as leaving your front windows open year round.)

The account settings on the desktop make it look like you can sign up for Steam Guard, but it will send you to the mobile app to do the setup. From the three-line "hamburger" menu, log into your account settings and select Steam Guard > Settings. Here you can turn it off, get codes by email, or get "codes on my phone."

Steam makes you put in your phone number, to which it will send a code to set up the authentication and a recovery code you should write down. After that, the only way to log into Steam anew is to have that app with you to get the authentication code; it'll appear right at the top of the screen when you go into the Steam Guard section in the future.

Eric narrowly averted a career in food service when he began in tech publishing at Ziff-Davis over 20 years ago. He was on the founding staff of Windows Sources, FamilyPC, and Access Internet Magazine (all defunct, and it's not his fault). He's the author of two novels, BETA TEST ("an unusually lighthearted apocalyptic tale"--Publishers' Weekly) and KALI: THE GHOSTING OF SEPULCHER BAY. He works from his home in Ithaca, NY.